Home > Vulnerability Database > CVE-2024-35239

Mend.io Vulnerability Database

CVE-2024-35239

Good to know:

Date: May 28, 2024

Umbraco Commerce is an open source dotnet web forms solution. In affected versions an authenticated user that has access to edit Forms may inject unsafe code into Forms components. This issue can be mitigated by configuring TitleAndDescription:AllowUnsafeHtmlRendering after upgrading to one of the patched versions (13.0.1, 12.2.2, 10.5.3, 8.13.13).

Language: C#

Severity Score

2.7

Related Resources (9)

Url: https://github.com/umbraco/Umbraco.Forms.Issues

Url: https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-p572-p2rj-q5f4

Url: https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes

Url: https://docs.umbraco.com/umbraco-forms/v/12.forms.latest/release-notes#id-12.2.2-january-16th-2024

Url: https://docs.umbraco.com/umbraco-forms/developer/configuration#editing-configuration-values

Url: https://docs.umbraco.com/umbraco-forms/release-notes#id-13.0.1-january-16th-2024

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-35239

Url: https://docs.umbraco.com/umbraco-forms/v/10.forms.latest/release-notes#version-8

Url: https://www.mend.io/vulnerability-database/CVE-2024-35239

Severity Score

2.7

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version Umbraco.Forms - 12.2.2;Umbraco.Forms - 10.5.3;Umbraco.Forms - 13.0.1

Learn More

CVSS v3.1

Base Score:	2.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-35239

Good to know:

Date: May 28, 2024

Language: C#

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?